Information Technology Enthusiast


Wednesday, April 7, 2010

Blogger is a great platform and has worked well for me over the past few months, but recently I was given the opportunity to be a part of http://securegossip.com/about/ and I humbly accepted. In short, SecureGossip was created to unite all security and IT blogs (secure coding, system administration, etc., everything that leads to complete security) under one roof.

Thank you to all the current readers; I hope to reach more readers on the new platform. I will keep this blog up for a while before taking it down, but all new posts will be on the new site.

Thursday, April 1, 2010

What are ADS, or alternate data streams?

Alternate data streams allow more than one data stream to be associated with a filename, using the filename format "filename:streamname" (e.g., "text.txt:extrastream"). Alternate streams are not listed in Windows Explorer, and their size is not included in the file's size. Only the main stream of a file is preserved when it is copied to a FAT-formatted USB drive, attached to an e-mail, or uploaded to a website. As a result, using alternate streams for critical data may cause problems.

Why should you care about ADS?

One reason is that even though this technique has been around for quite some time, it still has a very high rate of success when implemented in a piece of malware. The ability to hide behind a known system file without changing the file's size can be very deceiving.

Another important reason, as stated by http://www.rootkitanalytics.com/, is that because of this hidden nature of ADS, hackers have been exploiting the method to secretly store their rootkit components on a compromised system without being detected. For example, the infamous rootkit 'Mailbot.AZ', aka 'Backdoor.Rustock.A', hid its driver file in the system32 folder (C:\Windows\system32) as a stream named '18467'.
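As an added example that is not part of the original post, the PowerShell script below (function and folder names are my own) demonstrates the two properties described above and then does what a defender wants: it writes a stream with the "filename:streamname" syntax, shows that the file's reported length ignores it, and sweeps a directory tree for every non-default stream so each one can be reviewed. It assumes PowerShell 3.0 or later (for the -Stream parameter) and an NTFS volume.

```powershell
# Added example (not from the original post): show that an alternate data
# stream does not count toward a file's reported size, then enumerate every
# non-default stream under a directory tree the way a defender would.
# Requires PowerShell 3.0+ (the -Stream parameter) and an NTFS volume.

function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -File | ForEach-Object {
        $file = $_.FullName
        # ':$DATA' is the unnamed primary stream every file has; anything
        # else is an ADS. Zone.Identifier is the common benign case (the
        # mark-of-the-web written by browsers), so it is labelled, not hidden.
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $note = if ($_.Stream -eq 'Zone.Identifier') { 'mark-of-the-web (usually benign)' } else { 'review' }
                [pscustomobject]@{ File = $file; Stream = $_.Stream; Bytes = $_.Length; Note = $note }
            }
    }
}

# Constructed sample data in a scratch folder under %TEMP% (hypothetical names).
$root = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null
$sample = Join-Path $root 'text.txt'
Set-Content -LiteralPath $sample -Value 'visible content'
Set-Content -LiteralPath $sample -Stream 'extrastream' -Value ('X' * 4096)

# Explorer and .Length see only the primary stream: about 17 bytes
# ('visible content' plus a line ending), not the extra 4 KB.
"Reported size of text.txt: {0} bytes" -f (Get-Item -LiteralPath $sample).Length

# The sweep lists text.txt:extrastream with its real size and a 'review' note.
Find-AlternateStreams -Path $root | Format-Table -AutoSize

# Remove the stream once reviewed; the main stream is untouched.
Remove-Item -LiteralPath $sample -Stream 'extrastream'
```

Pointing Find-AlternateStreams at a folder such as C:\Windows\system32 is the manual equivalent of what the scanners compared later in this post automate.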

Below is a brief illustration of what this looks like:

Now, before you start worrying, there is hope on the horizon thanks to tools like "StreamArmor".

What is Stream Armor you might ask?

StreamArmor is a sophisticated tool for discovering hidden alternate data streams (ADS) and cleaning them completely from the system. Its advanced auto-analysis, coupled with an online threat verification mechanism, makes it the best tool available on the market for eradicating the evil streams. StreamArmor comes with a fast multi-threaded ADS scanner that can recursively scan the entire system and quickly uncover all hidden streams. All discovered streams are represented using a specific color pattern based on threat level, which makes it easy for the human eye to distinguish between suspicious and normal streams.

Or, as I prefer to call it, the first step in the right direction... Don't get me wrong, there are other great tools out there like Streams from Microsoft or Gmer, but after using StreamArmor recently I don't see how I could go back to those tools.

I decided to see how StreamArmor would perform when compared to two of its competitors (Streams and Gmer). I created several ADS samples and split them up into two folders on my C drive, then scanned both folders with each program twice.

My sample streams included the following:

* 12 streams in total
* I placed various files (exe, png, and avi) behind a few .txt, .doc, .bmp and .pub documents.
* I then encrypted one of those files and zipped two of them (one with Windows 7 built-in compression and the other with WinRAR).

* Microsoft Streams results: 9 out of 12
* Gmer scan results: 5 out of 12
* StreamArmor results: 9 out of 12

In the end both StreamArmor and MS Streams found 9 out of 12; none of them found the ADS that were zipped or the one that was encrypted (not that I expected the encrypted file to be discovered). At this point I am as confident as when I started writing this post: StreamArmor is my preferred choice. It can export great reports, customized scans are easy to run, and overall the results are not difficult to interpret.

Tuesday, March 30, 2010

This post initially started off as a discussion on the "Yahoo Computer Business group" by Hank Cranmore from http://www.mobitech4u.com/corporateservices.html. The discussion was about cloud computing and the damaging effects it will soon have on most computer technicians' businesses. This is due in part to how affordable it is to run your small business virtually from the cloud and drastically reduce the need for support contracts, or better yet, on-site technical support.

Technicians are people skilled in a particular area. They serve their purpose in the strategic sense of demand and need until eventually, as with all things like this before, down through history, technology replaces the technician.

Let me repeat that, "Technology replaces the technicians".

To make it worse, technicians are historically weak during periods of
economic downturns or other disasters that destabilize their ability to
continue to do what they do in the face of a more efficient and cheaper
competitor.

Here are some favorite examples of mine from history of when technology replaced technicians in the past.

Example #1 - Spinning thread. In today's terminology a person who is
skilled at spinning fibers by hand into thread or yarn would be labeled a
Spinning Tech. They were replaced by a series of rapidly evolving
technology. But not to fear, those that did not starve to death got jobs
by the thousands working 12 hour shifts tending to the machines of the
textile factories that replaced them.

Example #2 - Computer. Not our modern day computers, but people who in a
time of great illiteracy could perform math computations with great
skill. The word computer has existed since at least 300 AD. Up until the
point in time they were replaced by machines, human computers were
employed wide and far. They were the first computer techs. The first
computer business was similar to a CPA but was not limited to money. A
business could send a batch of calculations to the corner computer shop
and it would be processed by hand, by computer techs into final numbers.
One of the largest calculations in history processed by human computers
was 21,000 pages long and took 7 years to complete. Something had to
change. The first computer techs were put out of business by machines
set in motion by Charles Babbage. Not sure what happened to those techs,
but it was just in time for WW I, the great depression labor camps
(CCC), WW II and the growth of Corporations.

What will replace the computer tech? Technology!

Ever hear of a calculator tech lately? Nope!

The calculator on my desk is cheap, disposable and now that I think of
it, I don't even need to change the battery. It could run forever! If I
break it, I replace it. All I need to do is to buy it and operate it.

If I did break it and did not have time to go buy another one, I would
just turn to a virtual calculator on my computer or a calculator app out
on the internet, or "The Cloud".

But what if that little calculator could also be any business machine I
needed it to be? An internet interface?

The ultimate end of computer techs will be the "Walmart" scenario. When
replacing your internet interface is as cheap and easy as going to the
corner Walmart, picking the color and style of your choice and paying
less than a new shirt to replace the shirt you lost as a computer tech.

Prior to that, as the work and demand goes away, former techs will work
by the thousands for tech mills such as central repair depots, remote
support centers and Onforce type dispatch services. Again awaiting the
final "Walmart" stage.

Freelance techs can evolve into Technology Consultants and then
Technology Consultants can evolve into Business Consultants.

Eventually, virtual hardware and software activation cards hanging on
hooks at Walmart like gift cards will replace most technology
consultants and then preconfigured activation "suites/packages" cards
will threaten most business consultants.

But do not worry. History has proven that techs will be taken care of
one way or the other after they are replaced.

Independence? Many weavers and spinners enjoyed great independence while
it lasted. When it ended, it was bad. Ironically, it was only when
weavers were without work did the last "die hards" focus on becoming
experts at marketing and sales as a last resort to bring in more
business. Eventually the need to support a family forced them to join
the ranks of employees again.

Thursday, March 18, 2010

Problem: While configuring our NetMRI appliance I noticed that I was unable to view the configuration for several of our routers and switches. If I looked under Network Explorer --> Devices --> Entire Network I could see I had 20 devices, but under the "Configuration Management" tab I was only able to see 6 devices.

Fig 1

Fig 2

After clicking on one of the devices from within the "Network Configuration" tab and selecting the "Errors" option, I was greeted with the message below:

Fig 3

Solution: After receiving the above error I knew it was time to log into this switch and re-configure the SSH RSA key.

Switch commands to delete the SSH RSA key and then create a new one:

config t
no crypto key rsa (naturally you would think this is the command, but it's not; instead, IOS tells you the correct command)
crypto key zeroize rsa
crypto key generate rsa
1024 (when asked for the RSA key size in bits)
wr mem

Once that's done, the next step is to log into the NetMRI appliance to reset the authentication information and update the device. This will occur automatically after 24 hours, or you can do it manually by navigating to Network Explorer --> Devices, clicking on the device in question, and going to the "Settings" tab --> "Config File Collection"; click "Reset Authentication info", then "Update", and lastly "Get Configs".

Check your error tab again for good measure. If all goes well, look under the config tab and you should now be able to manage the configuration on this device.

Monday, March 15, 2010

I am working on a project in which I have to configure our entire network infrastructure and a few high-profile servers to be monitored by NetMRI and Orion. Since most of our devices have already been monitored by several other systems in the past, I will try to illustrate the approach I took on this project.

Phase 1 (Backup and Cleanup)

It's extremely important to back up your current running configuration before making any changes, and if you do have to make changes, try to do them off hours so that if something goes wrong you won't get a million calls coming into the HelpDesk from angry workers. Before attempting the steps below you will need to set up a TFTP server on your computer; here is a link to one of my favorites: http://tftpd32.jounin.net/.

During this phase, I first logged into each appliance and ran the following commands to get a quick idea of which user accounts are configured on the device and what the SNMP settings are.

sh run | inc snmp

sh run | inc user

Once I have gathered the above information I can build my configuration file. In our case we are removing old community strings and SNMP hosts while at the same time updating the devices with the new information.

Tuesday, March 9, 2010

Yesterday I received a call from a user who was unable to do the following: "Use the Mark Complete flag" in Outlook or "Copy a message from their inbox to a shared public folder". After researching the issue I came across an article from Microsoft that solved the issue.

Solution:

To resolve this issue, remove the explicit Deny for the Everyone group on these permissions:

1. Start Exchange System Manager.

2. Under the Folders object, right-click the Public Folders object, and then click Properties.

Fig 1

3. Click the Security tab, and then click the Everyone group.

4. Clear the Deny check box for the following three permissions:

* Create public folder
* Create top level public folder
* Create named properties in the information store

Thursday, February 25, 2010

I got the following message when I was attempting to change the DNS address on a few of my VMware Servers today.

The IP address XXX.XXX.XXX.XXX you have entered for this network adapter is already assigned to another adapter Name of adapter. Name of adapter is hidden from the network and Dial-up Connections folder because it is not physically in the computer or is a legacy adapter that is not working. If the same address is assigned to both adapters and they become active, only one of them will use this address. This may result in incorrect system configuration. Do you want to enter a different IP address for this adapter in the list of IP addresses in the advanced dialog box?

In this message, XXX.XXX.XXX.XXX is the IP address that you are trying to set and Name of adapter is the name of a network adapter that is present in the registry but hidden in Device Manager.

I tried Microsoft's suggestion in this article, "http://support.microsoft.com/?kbid=269155", however it didn't work for me. I had to create a "system environment variable" and give it the value "1". Once that was done I was able to follow the rest of the article. I removed all hidden adapters except for the "RAS Adapter" and was then able to add the new IP address.

How to create the system variable:

On a Windows machine, right-click "My Computer" --> Properties --> Advanced tab --> Environment Variables --> System variables --> click New --> specify the "Variable name" (devmgr_show_nonpresent_devices) and the "Variable value", which is 1.